On Wed, 31 May 2000, Graham Wheeler wrote:

> > Or, you could just encap the same data in say, five, DNS requests during
> > each 24 hour period..
> 
> If all you're doing is stealing the bandwidth of 5 DNS requests in a
> day, tunnel away!

If you think bandwidth is the biggest risk of tunneling, you should
probably spend some time doing practical security somewhere, or spend more
time talking strategy with folks who do.  Unlike a lot of industries, the
information security industry has a high number of in-the-field
practitioners who are aware of and in many cases ahead of vendor
solutions.

> > So, I still say that if a network is connected to the Internet, in any
> > fashion, it's quite possible to tunnel data (in various amounts, granted)
> > to and from it in a stealthy fashion, if there's a cooperative party on
> > the inside.
> 
> I won't dispute that. But that's a hell of a lot of effort to go to, and
> you would have to have a really good reason. Like stealing company
> secrets - which in most cases, given your cooperative party on the
> inside, can be achieved a lot easier than by circumventing a firewall.

No, you really don't need a good reason.  Lots of really difficult code
has been written for "no good reason" other than to write it.  Ignoring an
attack vector isn't healthy in the long-run.  Take a look at DDoS attacks
to see what value a compromised host has in an attacker's pocket, then
extrapolate that to millions of systems behind firewalls where security
management is normally lax.

> What most people are concerned about is abuse of company bandwidth. And
> so such tunneling exploits are much of a concern. So you did manage to
> tunnel your way to an external web proxy so you could browse
> penthouse.com on company time - I'm still going to see that you've used
> up a lot of bandwidth in the daily reports, and I can still ask you to
> justify that, or start sniffing packets to see what you're up to.

I disagree.  Most corporations I've worked with aren't worried about the
bandwidth issues, especially for penthouse.com, it's liability and
security issues.  Bandwidth users are trivial to track down and stop.

> If you're arguing that it's a way for someone to allow some external
> party to break into the corporate network, again there is usually an
> easier solution (like installing a wireless LAN card on an internal
> host, or a modem that polls an external server, or something).

That requires a targeted network.  Tunnels can be the conduit provided to
and from malicious code (such as worms and viruses) to provide significant
vectors into and out of networks - both by genuine bad people and
potentially malicious employees.  The ability to timebomb systems is
nothing new, and while it's generally not newsworthy that doesn't mean it
doesn't happen.  Tunnels give the same sort of person the opportunity to
surreptitiously access systems after they've been terminated and their
access credentials revoked.

> Put another way, I think these tunneling exploits are mostly of academic
> interest. But I could be wrong.

While we haven't had wide-scale exploits of tunnels, it's only a matter of
time, and if it's a million in one chance and you're the one, it's 100% in
your case.

Trending and analysis can gain precursors to mass tunneling or heavy
abuse, but don't count on it 100%.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
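The "trending and analysis" Paul mentions is easy to sketch for the DNS case discussed above. What follows is an added example, not code from this thread or from either poster: it reads constructed DNS query log lines, groups them by client and base domain, and scores each group on the length and entropy of the data-carrying label and on how many bytes a base32-style encoding could have carried in that many queries. The log format, IP addresses, domain names and both thresholds are assumptions chosen for the illustration.

```python
"""Flag DNS query patterns that look like low-volume tunneling.

Added example for the firewalls-list thread; not code from the original
message. Log format, addresses, names and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <queried-name>", one query
# per line. The 10.0.0.42 entries mimic a client that hides a little data in
# five queries spread over a day, the scenario debated in the thread.
SAMPLE_LOG = """\
2000-05-31T08:00:01 10.0.0.11 www.example.com
2000-05-31T08:00:02 10.0.0.11 mail.example.com
2000-05-31T08:05:10 10.0.0.12 www.example.com
2000-05-31T09:00:00 10.0.0.12 intranet.corp.example
2000-05-31T10:12:03 10.0.0.42 a8f3k2j9q1z7x5c4v6b2n8m1l0p9o3i7u5y4.t.tunnel.example.net
2000-05-31T14:44:19 10.0.0.42 q2w3e4r5t6y7u8i9o0p1a2s3d4f5g6h7j8k9.t.tunnel.example.net
2000-05-31T18:30:51 10.0.0.42 z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4p3o2.t.tunnel.example.net
2000-05-31T21:05:07 10.0.0.42 l1k2j3h4g5f6d7s8a9p0o1i2u3y4t5r6e7w8.t.tunnel.example.net
2000-05-31T23:59:00 10.0.0.42 m5n6b7v8c9x0z1a2s3d4f5g6h7j8k9l0q1w2.t.tunnel.example.net
"""

MAX_LABEL_LEN = 30       # assumption: benign hostname labels are rarely this long
ENTROPY_THRESHOLD = 3.5  # assumption: bits per character; "www", "mail" sit far below


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Turn the three-column log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, qname = parts
        records.append((ts, client, qname.rstrip(".").lower()))
    return records


def base_domain(qname, levels=2):
    """Naive registrable domain: the last `levels` labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-levels:])


def data_label(qname, base):
    """Left-most label below the base domain; that is where tunnels put payload."""
    if qname == base:
        return ""
    return qname[: -(len(base) + 1)].split(".")[0]


def analyse(records):
    """Per (client, base domain) statistics with a tunneling flag."""
    groups = defaultdict(list)
    for _ts, client, qname in records:
        groups[(client, base_domain(qname))].append(qname)
    report = {}
    for (client, base), names in groups.items():
        labels = [data_label(q, base) for q in names]
        subdomains = {q[: -(len(base) + 1)] if q != base else "" for q in names}
        max_len = max(len(l) for l in labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        report[(client, base)] = {
            "count": len(names),
            "unique_subdomains": len(subdomains),
            "max_label_len": max_len,
            "mean_entropy": round(mean_ent, 2),
            # Assumption: payload is base32-encoded, 5 data bits per label char.
            "est_payload_bytes": sum(len(l) for l in labels) * 5 // 8,
            "flagged": max_len >= MAX_LABEL_LEN or mean_ent >= ENTROPY_THRESHOLD,
        }
    return report


def flagged(report):
    """Sorted (client, base domain) keys the heuristic considers suspicious."""
    return sorted(k for k, v in report.items() if v["flagged"])


def run(text=SAMPLE_LOG):
    return analyse(parse_log(text))


if __name__ == "__main__":
    for key, stats in sorted(run().items()):
        print(key, stats)
```

Only the 10.0.0.42 group trips the heuristic; the benign groups have short, low-entropy labels. Five queries of 36-character labels amount to roughly 112 bytes of base32 payload, which is why a daily bandwidth report never shows such a channel and why the per-client, per-domain view above is the one worth trending over time.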